80d20afca98b4cb59f66788a1d3b8b6850fbb4eea5755394de35fca08288750b

General

Target

139f542d8e1cebeaa9c9c823751d29a1.exe
Size

506KB
MD5

139f542d8e1cebeaa9c9c823751d29a1
SHA1

ae2a966eba4a2a0cc33cd902c82e535e3109ff01
SHA256

80d20afca98b4cb59f66788a1d3b8b6850fbb4eea5755394de35fca08288750b
SHA512

4480895893e34b48d348584c150770720d2ab19e5e27df3e5e8f664d30d6d050ac06ed2e90da05f6bad56a5a4ebca51ac4d02e88e1a868dd50058c8b848826e6
SSDEEP

12288:9ZIvhoCPofm3yNEiQHxqh0jLajnJHOcd6D:b+ViEZHxm5LFr6D

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2468	139f542d8e1cebeaa9c9c823751d29a1.exe

Executes dropped EXE 1 IoCs

pid	Process
2468	139f542d8e1cebeaa9c9c823751d29a1.exe

Loads dropped DLL 1 IoCs

pid	Process
2660	139f542d8e1cebeaa9c9c823751d29a1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2468	139f542d8e1cebeaa9c9c823751d29a1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	139f542d8e1cebeaa9c9c823751d29a1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2660	139f542d8e1cebeaa9c9c823751d29a1.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2660	139f542d8e1cebeaa9c9c823751d29a1.exe
2468	139f542d8e1cebeaa9c9c823751d29a1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2468	2660	139f542d8e1cebeaa9c9c823751d29a1.exe	28
PID 2660 wrote to memory of 2468	2660	139f542d8e1cebeaa9c9c823751d29a1.exe	28
PID 2660 wrote to memory of 2468	2660	139f542d8e1cebeaa9c9c823751d29a1.exe	28
PID 2660 wrote to memory of 2468	2660	139f542d8e1cebeaa9c9c823751d29a1.exe	28
PID 2468 wrote to memory of 2812	2468	139f542d8e1cebeaa9c9c823751d29a1.exe	29
PID 2468 wrote to memory of 2812	2468	139f542d8e1cebeaa9c9c823751d29a1.exe	29
PID 2468 wrote to memory of 2812	2468	139f542d8e1cebeaa9c9c823751d29a1.exe	29
PID 2468 wrote to memory of 2812	2468	139f542d8e1cebeaa9c9c823751d29a1.exe	29

C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe
"C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe
  C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe

Filesize
256KB

MD5
0654d63decdd52f9764d9290dfb63137

SHA1
e14b45f8e24d43d3bdf32d8d0ce71c85d7721a7d

SHA256
ff07cd8cb6f9c89250bef58e261531f256523d3e2fe929c21b94a8e281948324

SHA512
d040cad02bae0a422444f2fd88f1b790e98ca632029e8c320b454f678677f84f4319c3ca7b751161ca22de2fe57e80aff50f317da6fb219fd65a16395d82c078

Download Submit
C:\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe

Filesize
192KB

MD5
76a16e1ecee5396929cea058309b8412

SHA1
763f825123736ad4ab012eab45418b82a7f12f5d

SHA256
3f9fe01d176c8a270de64a63560ba877a24a69d67d76ee46082595fb1b495907

SHA512
7ea3f857e5ae4c0805dfffc82677822f2441e1a6b0b2da4ab99b68aefcb6d2aee6961648d0c79f00445b7e97465529b6395006832693d27491e537e31a7c845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C4A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C9B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\139f542d8e1cebeaa9c9c823751d29a1.exe

Filesize
506KB

MD5
40690de732a1afd94a49bca457b994cd

SHA1
5cbe1842fec7f37c390ee85c7f67dd1cbe0f6dec

SHA256
4ae5a50f5d404e4b43d7ec2bec414cbe9a0a669fb5d1454e94ccc6092f5b8180

SHA512
3fc59d147a26973c5894b07ad2c2d9380a78feb02e4d9b2ebb30886be10c277a9b4f785f94d93a3135db15ebacf01e90e0dd2e568047605ee085c1449022aeb0

Download Submit
memory/2468-19-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download
memory/2468-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2468-25-0x0000000001520000-0x000000000159E000-memory.dmp

Filesize
504KB

Download
memory/2468-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2660-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2660-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2660-12-0x0000000002D20000-0x0000000002DA3000-memory.dmp

Filesize
524KB

Download
memory/2660-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2660-1-0x0000000001490000-0x0000000001513000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads